module_utils: require X_OK when checking cwd sanity #69201
+6
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ansibot
added
affects_2.10
|
The CI errors look like false alarms. |
|
Closing and re-opening to trigger a new CI build, as explained in https://docs.ansible.com/ansible/latest/dev_guide/testing.html#rerunning-a-failing-ci-job |
|
/rebuild_failed |
ansibot
added
core_review
|
Hi @seirl, could you please add a changelog entry to this PR, as well as an integration test to show the new behavior is correct? Thanks! |
jimi-c
added
needs_revision
ansibot
removed
the
core_review
|
Sure, could you point out where this test would fit? The commit that introduces this function doesn't have a test attached to it, so I'm not sure where the previous behavior was tested. |
Every time an Ansible module is run, it checks that it is running from a "sane" working directory, a.k.a where it has the permission to be. This is because when running commands, it might temporarily change its working directory, then later restore pop the cwd to the previous one. Therefore, if the module is not run from a working directory where it has the permission to be, the module will execute fine, but then fail when trying to restore to the previous directory. Up until now the way this cwd "sanity" was checked was by checking for the F_OK and R_OK permissions, which respectively check that the directory exists and is readable. However, this is actually not sufficient to check whether you can cwd to it! You also need to check for X_OK, which for directories mean that the directory is searchable. See for example: >>> cwd = os.getcwd() >>> cwd '/root' >>> os.access(cwd, os.F_OK | os.R_OK) True >>> os.access(cwd, os.F_OK | os.R_OK | os.X_OK) False >>> os.chdir(cwd) Traceback (most recent call last): File "<stdin>", line 1, in <module> PermissionError: [Errno 13] Permission denied: '/root' Basically, this means that Ansible will fail every time you run a "become" command from a directory with the mode o+r-x. This commit fixes this issue by adding a requirement for X_OK when checking the sanity of the current working directory.
|
I added the changelog entry. |
ansibot
added
core_review
mattclay
added
the
ci_verified
ansibot
removed
the
ci_verified
mattclay
added
the
ci_verified
ansibot
added
needs_revision
ansibot
added
the
stale_ci
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
|
The branch is too old for the CI to pick it up. Needs rebase. |
ansibot
removed
ci_verified
webknjaz
added
the
ci_verified
ansibot
added
the
stale_ci
ansibot
added
the
needs_ci
webknjaz
added
the
needs_rebase
ansibot
removed
the
needs_rebase
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
ansibot
removed
the
needs_ci
|
Restarting because the bot keeps sticking this into the review queue and doesn't persist the manually set |
ansibot
removed
ci_verified
webknjaz
added
the
ci_verified
ansibot
added
the
stale_pr
ansibot
added
the
stale_ci
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Every time an Ansible module is run, it checks that it is running from a
"sane" working directory, a.k.a where it has the permission to be. This
is because when running commands, it might temporarily change its
working directory, then later restore pop the cwd to the previous one.
Therefore, if the module is not run from a working directory where it
has the permission to be, the module will execute fine, but then fail
when trying to restore to the previous directory.
Up until now the way this cwd "sanity" was checked was by checking for
the F_OK and R_OK permissions, which respectively check that the
directory exists and is readable. However, this is actually not
sufficient to check whether you can cwd to it! You also need to check
for X_OK, which for directories mean that the directory is searchable.
See for example:
Basically, this means that Ansible will fail every time you run a
"become" command from a directory with the mode o+r-x.
This commit fixes this issue by adding a requirement for X_OK when
checking the sanity of the current working directory.
ISSUE TYPE
COMPONENT NAME
module_utils